[Info-vax] Kernel Transplantation

Mark Berryman mark at theberrymans.com
Fri Jan 19 11:19:00 EST 2024


On 1/18/24 11:38 AM, Simon Clubley wrote:
> On 2024-01-18, Mark Berryman <mark at theberrymans.com> wrote:
>>
>> Sorry, I am only infrequently on this forum.
>>
>> On my system EVL runs with exactly the privs I specified earlier but I
>> did do some digging.
>>
>> EVL is started by netacp in whatever account netacp is running using the
>> command file sys$system:evl.com.  EVL neither raises nor lowers privs.
>> The startup command file normally looks like this:
>> $ !  Copyright (c) 1987 Digital Equipment Corporation.  All rights reserved.
>> $ SET NOON
>> $ IF "''EVL$COMMAND'" .NES. "" THEN EVL$COMMAND
>> $ RUN SYS$SYSTEM:EVL
>> $ PURGE/KEEP=3 EVL.LOG
>> $ LOGOUT/BRIEF
>>
>> However, sometime in the dim and distant past (meaning I no longer
>> remember when or why) I inserted this line:
>>
>> $ SET PROCESS/PRIVILEGES=(NOALL,SYSNAM,OPER,SYSPRV,NETMBX,TMPMBX)
>>
>> which is why EVL is limited in privs on my system.  Anyone concerned can
>> make the same edit.
>>
> 
> Because that command is being run in the same process as the EVL listener
> it will not help constrain an attacker. This is because all an attacker
> needs to do in their shellcode is to reenable those privileges.

IIRC, you managed to crash EVL using an insecure setup.  Crashing a
process is much different than convincing a process to run bogus code
and, of course, simply crashing EVL causes its process to exit.

With a secure setup, you can't get your malformed packets into EVL. 
However, if you'd like to show how you can get EVL to run bogus code, in 
any setup, then you will have raised a very valid concern.  Until then, 
I have addressed what concern you have raised.

Mark Berryman
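The privilege point argued in the exchange above (a SET PROCESS/PRIVILEGES inside the listener's own process only trims the current privilege set, while the authorized set stays available to anything running in that process), as an added DCL illustration that is not part of the original thread. The account name is a placeholder for whichever account netacp starts EVL in; whether that account's authorized mask can actually be trimmed depends on what else netacp needs, which is an assumption here, not something the thread settles.

```dcl
$! Added example, not from the original post.
$! Step 1: what EVL.COM's edit does. SET PROCESS/PRIVILEGES changes only the
$! process's *current* privileges; SHOW PROCESS/PRIVILEGES lists both the
$! authorized and the current set, so the unchanged authorized mask is visible.
$ SET NOON
$ WRITE SYS$OUTPUT "Privileges before the edit in EVL.COM takes effect:"
$ SHOW PROCESS/PRIVILEGES
$ SET PROCESS/PRIVILEGES=(NOALL,SYSNAM,OPER,SYSPRV,NETMBX,TMPMBX)
$ WRITE SYS$OUTPUT "Current set reduced; authorized set is still what SYSUAF grants:"
$ SHOW PROCESS/PRIVILEGES
$!
$! Step 2: the control that holds regardless of what code runs in the process
$! is the authorized mask in SYSUAF, set with AUTHORIZE.  <account> is a
$! placeholder for the account netacp uses; review what that account needs first.
$! $ RUN SYS$SYSTEM:AUTHORIZE
$! UAF> MODIFY <account>/PRIVILEGES=(NOALL,SYSNAM,OPER,SYSPRV,NETMBX,TMPMBX) -
$! _UAF> /DEFPRIVILEGES=(NOALL,SYSNAM,OPER,SYSPRV,NETMBX,TMPMBX)
$! UAF> EXIT
$!
$! Step 3: after the account change, a fresh process for that account shows the
$! same reduced list under both "Authorized privileges" and "Process privileges".
$ EXIT
```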
